Independent Audit Verifies Zoomorphix Systems’ Internal Controls and Processes

Zoomorphix Systems, a computer based testing company, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that Zoomorphix Systems has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Zoomorphix Systems’ controls to meet the standards for these criteria.

“In this very connected world, security controls must be central to all organizations and their software systems. SOC 2 guides your organization to achieve those controls,” said John Baker, Chief Executive Officer of Zoomorphix Systems.

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Zoomorphix Systems delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Zoomorphix Systems’ controls.”

About Zoomorphix Systems

Zoomorphix Systems provides all-in-one testing solutions and related services to professional accreditation, licensure, certification, IT and education organizations. Our powerful ExamStudio® platform provides advanced item banking, test publishing and test delivery. Expand your market capabilities with advanced item types, brandable test delivery and multiple languages. ExamStudio’s all-in-one solution will improve your testing processes. For more information, visit www.zoomorphix.com or email sales@zoomorphix.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

Penetration Testing for HIPAA Compliance

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets – especially Electronic Protected Health Information (ePHI). Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in unauthorized access to ePHI.

In this webinar, KirkpatrickPrice’s Lead Penetration Tester answers your questions about penetration testing, including:

  • What is the difference between penetration testing and vulnerability scanning?
  • Should penetration testing include a human element or can it be done using tools alone?
  • Do I have to hire a third party to perform penetration testing?
  • How often should I have penetration testing done when preparing for a HIPAA assessment?
  • Should I retest after remediation? Should that be included from the firm I work with?
  • How do I know which level of penetration testing is right for me? What are the options?
  • How do you choose targets in large IP address spaces?
  • What is the difference between web application penetration testing and network penetration testing?
  • Does penetration testing include API testing?
  • How do you balance applying automated tools to the target vs something manual to the target, like someone at a laptop?
  • As the IT landscape continuously grows, how do you ensure that you get the correct skills on a penetration test, since no one knows everything?
  • How does KirkpatrickPrice price penetration testing engagements?

More Penetration Testing for HIPAA Compliance Resources

HHS.gov HIPAA Security Rule for Professionals

164.308(a)(8) Standard: Evaluation

NIST SP800-66 – (HIPAA Implementation Guidance)

National Institute of Standards and Technology (NIST) SP800-115

Open Source Security Testing Methodology Manual (OSSTMM)

Open Web Application Security Project (OWASP)

Penetration Testing Execution Standard (PTES)

Penetration Testing Framework

Every business has something to lose. But…who loses sleep over it? Whose job is on the line if assets are compromised? Who cares about protecting their assets? In recent data breaches, some companies just haven’t shown the expected response when their assets are compromised. Take Uber, for example. The core of Uber’s business is drivers and riders, yet they covered up a hack for over a year. Hackers stole 57 million credentials through a third-party cloud-based service, and Uber paid to cover it up. Uber knew they’d face major backlash when the cover-up was exposed, because they hadn’t protected their assets.

How can organizations protect their assets? Investing in penetration testing is one way to show clients, prospects, and competitors that you are willing to protect your assets and that you recognize the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company.

What Type of Assets Do You Protect?

In any industry, there are assets that need to be protected. You may not think that your organization has a “security issue,” but third-party validation through penetration testing can either confirm or refute that. Cardholder data, Social Security numbers, protected health information, access credentials, intellectual property – businesses across industries need to recognize how penetration testing can protect their assets.

  • Casinos – The gaming industry has earned a reputation for strict, effective physical security. As technology advances, though, so should cybersecurity. If a casino is connected to a hotel, are the networks segmented appropriately? If not, a hacker may be able to find a way into the casino’s gaming network. From there, they could have access to the security cameras, the ability to manipulate odds, see payout information for each machine, alter rewards information, or worse.
  • Hotels – Cardholder data, passport information, rewards numbers, room information, security systems, and more could be compromised if a hotel is hacked. The Marriott hack exposed in 2018 is now one of the largest known thefts of personal records in history. When Marriott’s Starwood reservation system was breached, the personal data of up to 500 million guests was compromised.
  • Pharmaceutical – Production and development, intellectual property, operations, clinical trials, and laboratory results can be impacted when the pharmaceutical industry is targeted by cyberattacks. When pharma giant Merck was hit by NotPetya, it disrupted their operations across the world and production of new drugs, ultimately costing them over $600 million in 2017.
  • Utilities – The threat of power grids being attacked by nation states is becoming more real every day. In 2018, the DHS linked Russia to hacking US power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.
  • Data Centers – Whatever data is stored in a data center is under threat. Any insecure access point, like security systems, power supply, security cameras, or HVAC systems, is fair game to a hacker.
  • Retail – Cardholder data is the major asset of any retailer. The infamous 2013 Target hack is a nightmarish example of just how much data a retailer is responsible for. The compromised cardholder data of 40 million shoppers led to an $18.5 million settlement for Target.
  • Airlines – Passport details, passenger itineraries, rewards information, cardholder data, flight schedules, and the safety of passengers are things that could be compromised if an airline is hacked. Fortunately, no travel or passport details were revealed in British Airways’ 2018 data breach, but 380,000 transactions were compromised due to digital skimming on the airline’s website and app.
  • Telecommunications – Because telecom providers communicate, transmit, and store sensitive data, they are a target for cyberattacks. Telecom providers also have attacks coming from two sides: directly to their organization’s network and indirectly through their users. There are new channels of attack with every advance in technology.
  • Auto – As automakers incorporate more technology into vehicles and self-driving cars become a reality, the threat of cyberattacks on vehicles is very real. Locks, brakes, volume, AC, acceleration – it’s all been proven to be hackable.
  • Education – Educational institutions hold not only attendance and grade records, but Social Security numbers, cardholder data, billing addresses, and many other forms of personal data. Understaffed universities that hold expensive research have a target on their backs. A data breach in the education industry costs $166 per capita, according to the Ponemon Institute.
  • Insurance – Cardholder data, protected health information, and other sensitive data are assets given to insurers through websites and apps, making the insurance industry a target for cyberattacks.
  • Public Sector – 44% of local governments face cyber attacks daily. The City of Atlanta’s ransomware attack was an unfortunate example of just how vulnerable cities are to cyber threats and how much it costs for a city to recover.
  • Banking – Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances – it’s all available to banks. In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
  • Hospitals – Protected health information, security systems, expensive research and prototypes, drugs, scheduling information, and operations of facilities are all assets that a hacker could hope to compromise through cyberattacks. Ransomware attacks are extensive in healthcare for this very reason. No hospital wants their computers, elevators, locks, medical devices, or HVAC system held hostage.

Seeing some similarities here? Any industry can benefit from penetration testing. Any service provider would be embarrassed to sell something that isn’t secure. Any healthcare organization on the HHS’ “wall of shame” will be used as an example of what not to do. Any payment processor’s reputation would be tainted by compromised cardholder data. No matter the industry, organizations need to protect their assets. What is the value of your assets?

How Can Organizations Use Penetration Testing to Protect Their Assets?

Penetration testing can be used to determine how vulnerable your assets are. It puts your security intelligence in your own hands instead of a hacker’s. It shows your security strengths and weaknesses, then allows you to prioritize your risk levels. If you have compliance requirements, then penetration testing helps align your organization’s security with those requirements. If you do not have compliance requirements, penetration testing is a proactive way to see and analyze the holes in your security posture. Because penetration testing is a simulated yet real-world exercise, it also gives your team a chance to work through true “what if” scenarios to practice incident response and, hopefully, avoid the downtime that a breach would cost in the future.

Consider all types of penetration testing and consult with a qualified consulting firm to decide which would be most beneficial for protecting your assets. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to your organization’s security efforts.

If you’re questioning whether or not penetration testing would be appropriate for a business of your size or in your specific industry, remember to consider the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company or your industry.

If your default belief is that we, as an auditing firm, do not employ in-house penetration testers, let us make it clear: we do. We recognize the value of your assets and want to help you find your vulnerabilities and correct them. Contact us today to learn more about our penetration testing services.

More Penetration Testing Resources

7 Reasons Why You Need a Manual Penetration Test

Not All Penetration Tests Are Created Equal

Components of a Quality Penetration Test

Independent Audit Verifies Posh’s Internal Controls and Processes

Boston, MA – Posh, a Conversational AI company that provides chatbots and phone bots to financial institutions, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that Posh has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

Independent Audit Verifies Net Friends’ Internal Controls and Processes

Durham – Net Friends, a North Carolina-based IT managed services provider, today announced that it has completed its SOC 2 Type II audit for another year, performed by KirkpatrickPrice. This attestation provides evidence that Net Friends has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Net Friends’ controls to meet the standards for these criteria.

“The SOC 2 Type II audit is the best way to get independent confirmation that all our processes and internal controls are effective,” said John Snyder, CEO of Net Friends. “We are so pleased that yet again, the audit uncovered no issues or findings. Additionally, we took the extra step this year to add Confidentiality to our Security and Availability reviews, further ensuring our customers can rely on our team.” Audit findings are available for client review on request.

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Net Friends delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Net Friends’ controls.”

About Net Friends

Founded in 1997, Net Friends provides comprehensive managed IT services, cybersecurity solutions, and IT staffing services to clients in North Carolina and across the US. We are your preferred technology partners, delivering best-in-class IT solutions and tech expertise that keeps IT security front of mind. We believe in people, and we love to see our customers and community thrive through technology. We have fueled our clients’ success for over 20 years. Learn more at www.netfriends.com or follow us on LinkedIn.
